Portable data headache

04th September 2012

Solving the portable data security headache; by Jeff Sherwood, Vice President Americas of Cryptzone. He writes of how businesses of all sizes can counter the security threats that portable media storage devices – from USB sticks all the way to iPads – now pose a company’s data security.

Protecting intellectual property and sensitive information is a major security concern for any business – especially against the backdrop of workers needing to share documents and files with their colleagues, customers, and partners on a daily basis. The problem facing IT professionals is that all-too-frequently these items contain confidential information, mandating the need for effective file encryption.

But a good data leak prevention platform will go several steps further down the security trail than adding simple file encryption to the smorgasbord that modern IT security systems have become – we have found that there is now a pressing need to create a secure platform for co-workers to collaborate.

If you are moving data around on a company network, protecting the information flow is a relatively easy task – with the right technology in place, of course. But the biggest headache that many company IT professionals face is the one posed by removable media.

In a smaller-sized company, the chances are that the IT department consists of one or two people – typically assisted by one or more local specialists – and the chairman/MD of the company then makes the decisions on which security systems to deploy.

The headache for the company, however, is that relying on a single person to understand the nature of the multiple security threats that the modern technology landscape presents the business is asking for trouble, no matter how knowledgeable that person is in their given trade.

An experienced IT security manager would find it logistically impossible to make all the right decisions – and review those decisions on a regular basis – so expecting a chairman or MD to make the right decisions all of the time is a big ask.

The bottom line, we have observed at Cryptzone is, that a lot more needs to be done on the best practice education front when it comes to security and governance in a small company.

Even with the best planning and support available, the security framework that the small business has in place may be effective most of the time, but we have found that the devil is usually in the detail – meaning that the security framework needs to be comprehensive if it is going to work well all of the time.

Removable media – in all its forms – is a potential security threat for most companies, as it is a relatively trivial task for a member of staff to transfer large volumes of data to their portable media player or smartphone – even the most basic of smartphones these days has around 16 gigabytes of data storage, and you can now buy a USB stick with this capacity in a WH Smith or similar retail outlet for under £10, or so.

Small wonder, then, that more and more PC users are relying on USB sticks (aka flash drives) and portable media devices to assist them in moving their data around.

Critics might argue that, with the arrival of fibre-based broadband services such as BT Infinity and other similar services, it is possible to store and move data around in a cloud computing environment.

Unfortunately, the asymmetric nature of modern broadband services – whether copper or fibre-based – means that the upstream speeds are often a small fraction of the data speeds seen on the downstream link. Put quite simply, it can take an hour or more to move a large volume of data into the cloud, whilst a similar transfer can be accomplished in a few minutes using a humble USB stick.

Until quite recently, many businesses did not allow unprotected USB sticks to be used in the workplace, preferring instead to use secure USB sticks sporting encryption and close integration with on-network security technologies.

The advent of the 16GB budget smartphone – and, of course, the ubiquitous iPhone and iPad – has changed the landscape significantly in this regard. And with a seven-inch iPad and iPhone 5 expected to arrive in stores within the next few months, the penetration levels of portable media devices in the workplace will continue to soar.

The good news here is that, rather than used a secure USB stick, if we approach the data governance issue from the other side and impose layers of security when a portable device is plugged into the company IT system, we can still control the flow of data.

For example, we can employ a set of block, read or read/write options depending on the workstation being accessed, the privilege of the account holder, and the security policies that apply to a given business.

This is particularly important in the modern business environment where people work hard and often take their work home with them. We therefore need to develop a security environment that allows them to work from home, as well as work when they travel.

It’s interesting to note that, in today’s business environment, many users are choosing not to take a laptop computer with them when travelling, as they know there will be a computer of some type available to them at their destination, meaning they can rely on their smartphone to access their email while on the move.

When they reach the distant office or hotel, they plug in their USB stick into the computer and begin going about their business. The USB stick, is a business enabler, so it’s essential that you develop a set of best data security practices within your organisation – and enforce them using on-network security.

Our observations suggest that, where best practice is introduced to the security environment in a given business, those best practices automatically set the scene for regulatory compliance.

Backing up best practices in the security space is the need to enforce encryption at the remote end of a given connection, with enablement being the key. Managers also need to recognise that there are many different types of users – such as the chairman or the worker – in even the smallest of companies. We need to enable and control their data, regardless of who they are.

To develop an effective security mechanism to defend the firm’s data in such situations requires that the security is cost-effective, yet does not interfere with the user experience. The best solution here is to implement design workflow into the process.

By automating the technology – and keeping a grip on the governance of that technology – it becomes possible to save on operating costs for the organisation, whilst at the same time maintaining the best levels of efficiency and security.

The interface to the security system also, we have found, needs to be very similar to current system if the company is to achieve stakeholder buy-in to the technology, where all the staff may not understand how the security technology works, but they do understand why it is there.

Obtaining stakeholder buy-in in this way means that staff can handle situations more effectively when things go wrong, with automated systems reporting back to the people in charge what is happening in real time.

If at all possible, the portable media technology also needs to have a `phone home’ capability, both in order to track what is happening to the data whilst it is on the device in question, and also to permit ongoing access to that data.

This means that, if the portable device does not contact headquarters on a regular basis, access to the data on the device is automatically blocked and/or a remote wipe carried out.

While this may sound like overkill for a small company and its trusted staff, managers need to be aware that today’s trusted employee could be tomorrow’s competitor – in the event that a member of staff is poached, all bets are off on the security of your data.

It’s also worth remembering that the penalties for failing to protect your company’s data are now a lot more than the cost of compliance. Yes, a good security platform will cost money, but far less than the cost of remediating a data breach.